Jan 30

I wrote earlier in the week about the possible use of something like CAPTCHA to combat Cross-site Request Forgery attacks, and as if by magic, we see the news breaking that CAPTCHA has apparently been cracked by a team of Russian hackers. For a quick recap, CAPTCHA generates images consisting of letters and numbers, then asks the (presumably human) user of a site to enter them in order to verify that it’s a human using the service, rather than a machine.

The argument I made was that you could use something like CAPTCHA to verify that requests for certain sensitive operations (such as check-out, or changing user profile information) were made by a real user, rather than by a JavaScript program pretending to be human.

The wily Russian(s) in question claim the ability to decode CAPTCHA about 35% of the time, which is probably plenty for most sites. This would probably severely hamper, if not eliminate, the usefulness of CAPTCHA as part of the CSRF solution.